
A Tale of Two Ransomware-as-a-Service Threat Groups

  • Learn about INC and Lynx, two highly successful RaaS groups that share similar tactics and procedures, including a potential connection through shared code.
  • Discover how these criminal groups try to justify their actions, one claiming to be a security service and the other pretending to avoid sensitive targets like hospitals and governments.
  • Understand the key distinctions between the two groups, from their primary targets and affiliate models to the specific techniques they use to breach networks.

Ransomware distributors are bad enough, but there should be a special place in the dark web's basement, one that only offers ISDN connections and no Wi-Fi, reserved for those groups that insist their attack was a benign cybersecurity service, or that only attack entities which, at least by the groups' own logic, deserve to be struck.

King Orande, a Cyber Threat Intelligence (CTI) Analyst on the SpiderLabs team at Trustwave, A LevelBlue Company, recently broke down the operations of two ransomware groups, INC and Lynx. As far as Trustwave and the wider cybersecurity community can determine, the two are not connected; however, they do have some similar tactics and procedures.

Orande noted that INC has become one of the most successful ransomware-as-a-service (RaaS) groups since researchers first discovered it in July 2023. Lynx, another RaaS, is thought to have emerged in the third quarter of 2024, shortly after INC put its source code up for sale on underground forums for $300,000 in May 2024. This sale raised concerns that other cybercriminals might buy the code and reuse or modify it to develop new ransomware variants.

This timing has led to the speculation that the Lynx operators may have acquired the INC ransomware platform as their starting point, but there is no firm evidence that Lynx did, in fact, purchase the code, Orande said.

The groups appear to be opportunistic in nature, with each more or less focusing on a specific target industry, but at the same time not being too shy to also target a wide swathe of industries, including healthcare, business services, technology, government, and education. As of May 2025, Lynx has listed more than 270 organizations on their dedicated leak site (DLS), while INC has tallied 363 on its leak site.


We're Here to (Not) Help

Like many ransomware groups now, INC and Lynx ransomware operators have adopted the double-extortion scheme to place as much pressure as possible on their victims to pay the ransom demand. However, each also uses an additional ploy in an attempt to either justify its actions or take an ethical stance with its behavior.

Orande noted that INC has taken the first path, claiming it is, in fact, providing an essential service that improves its victims' security posture: in exchange for the ransom payment, it discloses the full details of its attack methods. By this logic, the ransom demand is simply an invoice for services rendered.

Lynx also tries to assuage its guilty conscience by claiming it avoids attacking certain sectors, such as governments, hospitals, or non-profits. Lynx has even gone so far as to post a press release stating their intentions.


Similar But Different

Although the evidence that Lynx is using INC’s code is lacking, the code being used by each is similar, and the two groups’ victim profiles show significant overlap, Orande said. When it comes to the ransomware code in use, Lynx’s ransomware has a 48% overall code similarity with INC ransomware and 71% similarity in specific functions.

Lynx and INC concentrate their attacks in the US, UK, Canada, Australia, Germany, and France. INC primarily focuses on the healthcare sector, while Lynx frequently targets manufacturing; however, as stated earlier, each can be found attacking other sectors, targeting organizations where downtime is costly and pressure leads to quicker payouts.


The ransomware groups also share nearly identical capabilities. Each provides its members with a cross-platform ransomware builder that can be deployed across various operating systems such as Windows, Linux, and ESXi. Both ransomware variants utilize the same reliable encryption algorithms and support multiple encryption modes.

This allows their affiliates to adjust the speed and scope of their operations. One of the most important features of both ransomware strains is the inclusion of built-in commands that allow customization of the ransomware file's behavior.

Despite the overlapping code, capabilities, and a similar target base, the two groups do diverge in several important ways.


Lynx

Lynx stands out for its highly organized infrastructure, structured affiliate model, and the use of robust encryption techniques, Orande said. Affiliate recruitment efforts on underground forums include a strict vetting process for experienced penetration testers and intrusion teams, highlighting the group’s commitment to operational security and quality assurance.

Lynx is willing to give affiliates the lion’s share of any ransom proceeds, 80%, demonstrating a competitive model designed to attract and retain skilled cybercriminal partners.

Lynx affiliates benefit from a streamlined and feature-rich platform that allows them to configure victim profiles, generate custom ransomware builds, and manage data leak schedules through a single, user-friendly interface.

Lynx commonly disseminates its ransomware through a variety of cyberattack vectors. These vectors include:

  • Phishing emails that deceive users into revealing sensitive information.
  • Malicious downloads that surreptitiously install the ransomware onto victims' systems.
  • Hacking forums where cybercriminals share information and resources.

With that noted, Lynx’s exact point of initial access remains unconfirmed; the extensive use of administrative credentials observed during lateral movement strongly suggests that valid administrative credentials were compromised. Additionally, the repeated use of usernames such as “admin” and “administrator” throughout the intrusion indicates that the attackers may have exploited weak or default administrative accounts to gain entry and escalate privileges within the network.
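As an added example (not code from the Trustwave post), the following Python flags the pattern described above on constructed logon records: a generic account name such as "admin" or "administrator" making network logons to several distinct hosts within a short window, which is what lateral movement on shared default credentials tends to look like in logs. The record layout, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real telemetry). Each tuple mirrors the
# fields a SIEM normalises from a Windows 4624 event: timestamp, account,
# destination host, source host, logon type (3 = network, i.e. remote access).
SAMPLE_LOGONS = [
    ("2025-05-01T02:10:00", "administrator", "FS01", "WS17", 3),
    ("2025-05-01T02:11:30", "administrator", "DB02", "WS17", 3),
    ("2025-05-01T02:12:05", "administrator", "ESX-MGMT", "WS17", 3),
    ("2025-05-01T02:13:40", "administrator", "DC01", "WS17", 3),
    ("2025-05-01T09:00:00", "jsmith", "FS01", "WS03", 3),
    ("2025-05-01T09:05:00", "jsmith", "FS01", "WS03", 3),
    ("2025-05-01T10:00:00", "admin", "WS21", "WS21", 2),  # interactive, local
]

# Generic account names called out in the article as a warning sign.
GENERIC_ADMIN_NAMES = {"admin", "administrator"}


def flag_generic_admin_fanout(logons, window=timedelta(minutes=15), min_hosts=3):
    """Return {account: sorted list of hosts} for generic admin accounts that
    make network logons to at least `min_hosts` distinct destinations within
    any `window`-long span. Assumes the input is already successful logons."""
    by_account = defaultdict(list)
    for ts, account, dst, _src, logon_type in logons:
        if account.lower() in GENERIC_ADMIN_NAMES and logon_type == 3:
            by_account[account.lower()].append((datetime.fromisoformat(ts), dst))

    findings = defaultdict(set)
    for account, events in by_account.items():
        events.sort()
        start = 0
        # Sliding window over time-ordered events for this account.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[account].update(hosts)
    return {account: sorted(hosts) for account, hosts in findings.items()}


if __name__ == "__main__":
    for acct, hosts in flag_generic_admin_fanout(SAMPLE_LOGONS).items():
        print(f"{acct}: network logons to {len(hosts)} hosts in 15 min -> {hosts}")
```

A real deployment would tune the window and threshold per environment and exclude known jump hosts, but the hunt itself stays the same: a shared, generically named admin account should not be fanning out across servers at 2 a.m.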

Lynx affiliates also receive an "All-in-One Archive" containing binaries compatible with Windows, Linux, and ESXi, supporting a wide range of system architectures. This multi-architecture capability significantly expands the group’s ability to target organizations operating in varied IT environments.


INC

INC ransomware seems to use more straightforward techniques, Orande said. These include spearphishing and the purchase of valid account credentials, often obtained through Initial Access Brokers (IABs).

The group maintains a multilevel structure and utilizes custom ransomware, along with sophisticated techniques that involve abusing legitimate tools and exploiting vulnerabilities to gain initial access and then to move laterally through networks and deploy ransomware payloads. For example, in November 2023, the group exploited CVE-2023-3519, a critical vulnerability in Citrix NetScaler, to gain initial access to target environments.

By default, both Lynx and INC ransomware encrypt all files on the system. However, each also gives attackers the ability to customize the behavior of the ransomware file through command-line flags, offering greater control over the execution process.

Trustwave SpiderLabs considers INC and Lynx an interesting study: each is highly successful, which makes sense given the number of TTPs they share. At the same time, each attempts to present itself as something other than what it is: a criminal organization created and operated to force innocent organizations into paying a ransom to have their data restored and their network released.
